Persistence in Cybersecurity

Learn about persistence in cybersecurity, including common malware persistence mechanisms and advanced persistent threats (APTs).

This article is from The Defender's Handbook: a knowledge base for cybersecurity enthusiasts to level up their cyber knowledge - one article at a time.

Glitch effect
Glitch effectGlitch effect

Introductions

Persistence has become a go-to attack tactic for today’s threat actors.

As hackers have evolved their tradecraft, they’ve become stealthier—ensuring that they can lurk in their desired environment for as long as they need to accomplish their mission. While other attacks, such as ransomware, are loud and overt, persistence enables attackers to stay hidden - unless defenders know what to look for.

Read on to learn: 

  • How persistence enables malware - and how defenders can use persistence to get rid of malware
  • The key differences between persistence and advanced persistent threats (APTs)
  • Where persistence lives in the cyber kill chain
  • Common persistence mechanisms
  • What persistence looks like

Common Questions

WHAT IS PERSISTENCE IN CYBERSECURITY? 

Persistence - or what we call a foothold in cybersecurity - is the method of attack that hackers use when they want to let themselves into your environments whenever they please. Read more

HOW DOES PERISISTENCE ENABLE MALWARE? 

Persistence enables malware by allowing the malware to keep running—all while the attacker remains undetected. Read more

IS PERSISTENCE ANOTHER WORD FOR AN ADVANCED PERSISTENT THREAT (APT)?

Advanced persistent threats, or APTs, are a type of persistence-enabled attack that’s more complex in nature and usually carried out by nation-state cybercrime groups. However, not all persistence-enabled attacks are APTs. Read more

WHERE DOES PERSISTENCE LIVE IN THE CYBER KILL CHAIN? 

Typically, persistence falls in the middle of the cyber kill chain. After hackers gain access to an environment, their goal is to keep that access without being detected. Read more

WHAT ARE COMMON MALWARE PERSISTENCE MECHANISMS? 

The most common malware persistence mechanisms include boot or logon autostart execution, boot or logon initialization scripts and scheduled tasks/jobs. Read more

WHAT DOES PERSISTENCE LOOK LIKE?

Persistence can be hard to spot unless you know exactly what to look for. Read more

CAN SECURITY TOOLS FIND AND ELIMINATE PERSISTENCE? 

Because persistence is designed to be a stealthy attack tactic, it recruits various evasion techniques to avoid being detected by automated tools. The best defense against persistence is human threat hunters combined with innovative technology. Read more

What is Persistence in Cybersecurity

Persistence in cybersecurity occurs when a threat actor discreetly maintains long-term access to systems despite disruptions such as restarts or changed credentials. Bad actors can place an implant or a “stub” that both evades automated antivirus solutions and kickstarts more malware. This malware is usually hidden in legitimate startup folders or within scheduled tasks and services, making it harder to find.

After you reboot your system or log off and on again, the stub or malware is retriggered to run again. In other words, persistence enables hackers who gain access into your environments to keep it – oftentimes without you knowing they have access in the first place.

How Does Persistence Enable Malware?

Persistence can be used to keep malware running – and to spread other malware if they so choose. Attackers can use persistent malware to maintain access to a network as they search for the data they want to steal. They also sometimes use persistent malware to conduct other types of shady activity, such as click fraud or cryptojacking.

Malware Detection

Luckily, persistence can help defenders detect malware. When defenders find persistence, they can eliminate it, cutting off the threat actor’s access and stopping attackers in their tracks.It’s important to note that detecting malware is only a temporary solution to the bigger problem: persistence. If defenders don’t find the persistence in the environment, threat actors can simply recirculate the malware. Malware detection treats one symptom without addressing the root problem. That’s why it’s critical to find – and eliminate – persistence.

Is Persistence Another Word for an Advanced Persistent Threat (APT)?

Advanced persistent threats, or APTs, are a type of persistence-enabled attack. However, not all persistence-enabled attacks are APTs.Persistence-enabled attacks that are advanced—such as those carried out by nation-state cybercrime groups—are APTs. In contrast, persistence is a more general term to include both advanced attacks—as well as attacks that lower-level threat actors and groups execute.

What is an Example of an Advanced Persistent Threat?

Perhaps the most well-known example of an APT is Stuxnet. Stuxnet was created in the early 2000s by the United States’ National Security Agency (NSA) and Israel’s cyber division of their military (Unit 8200). This APT was created in an effort to disrupt Iran’s nuclear program.

This APT was groundbreaking for its time. The malware searched the operating system for Siemens Step 7 software – the software that industrial computers serving as PLCs (programmable logic controllers) used to monitor electro-mechanical equipment. Once the malware identified the software, it automatically updated the software’s code to send instructions to the equipment to damage itself. Simultaneously, the malware sent wrong information back to the main controller, allowing the malware to remain undetected – even to the humans who were monitoring the equipment – until the equipment began to malfunction.

Ultimately, Stuxnet affected more than 200,000 computers and destroyed nearly 1,000 centrifuges at Iran’s Natanz nuclear facility.

Want to take your persistence knowledge to the next level?

Download our Persistence Knowledge Kit.
It has everything you need to outsmart hackers who try to hide in plain sight.

Access Your KitGlitch graphic
Glitch effectGlitch effectGlitch effect

Persistence-Enabled Attacks: A Technical Deep Dive

Where Persistence Lives in the Cyber Kill Chain

Typically, persistence falls in the middle of the cyber kill chain. After hackers gain access to an environment, their goal is to keep that access without being detected.Below are the five main stages in the cyber kill chain.

Huntress glitch effect
Blurry glitch effectTeal ellipseTeal ellipse
Persistence cyberkill chain

What Are Common Malware Persistence Mechanisms?

MITRE ATT&CK®, which compiles information about adversary tactics based on what’s being seen in the real world, has identified 19 different known malware persistence mechanisms that attackers use to lurk in environments undetected. Out of those, we tend to see hackers establish persistence in one of three ways:

1. Boot or Logon Autostart Execution

This common malware persistence mechanism involves a hacker who abuses a legitimate operating system process—for example, a system reboot or logon. A hacker achieves persistence by adding an entry to the run keys in Windows Registry or the Startup folder. As a result, any referenced programs will be executed when a user logs in.

2. Boot or Logon Initialization Scripts

For this persistence technique, hackers typically use local credentials or an administrator account to run scripts that are automatically executed at boot or logon to establish persistence. In turn, attackers can execute other programs or send information to an internal logging server.

It's possible to decrease your chances of being impacted by this common malware persistence mechanism if you ensure proper permissions are set and restrict write access to logon scripts to specific administrators. However, this isn’t a foolproof preventive measure.

3. Scheduled Task/Job

This persistence mechanism occurs when an attacker abuses the task scheduling feature to jumpstart the initial or recurring execution of malicious code.

A common method is abusing Windows Task Scheduler, which can be used to execute programs at system startup or on a scheduled basis. As an example, TrickBot, a trojan spyware program, has been known to create scheduled tasks on compromised systems in a way that provides persistence for the attack.

Because all major operating systems feature utilities to schedule programs or scripts to be executed, this persistence mechanism is a risk for nearly everyone. The key to detecting this common malware persistence mechanism is to regularly review your task scheduler to eliminate any changes to tasks that don’t correlate with known software, patch cycles and so on.

What Persistence Looks Like

Let’s say, for example, an attacker is able to compromise a system and create a scheduled task that automatically executes the following command every time the machine starts up:

cmd /c “start /b

This kicks off a new command prompt in the background.

c:\ProgramData\48756e74.bat”

This is the location of the batch file to be executed.

At a glance, it's easy to focus on the second half of this command; there's clearly a very unusual-looking file being called. Let’s go ahead and open the file to see what’s inside:

net user eviluser “myEvilPassword” /ADD

net localgroup administrators eviluser /ADD

This batch file adds a new backdoor account with administrative privileges.

In this case, the challenge an automated security tool would have is validating malicious intent with this scheduled task -and that’s to the benefit of the attacker.

Many preventive tools require a high degree of confidence that malicious activity is occurring before stepping in. Creating a username and password through a command line prompt could actually be a legitimate administrative task. Therefore, most security products will allow the action to continue in order to avoid potential disruption for the end user. All the while, the attacker can stealthily hide in the software’s blindspots.

This is why persistence is an attacker’s greatest ally. It provides secret, backdoor access that’s hidden within the existing parts of an operating system.

Glitch effect

Huntress Persistence Data

73%

of persistent threats were found on endpoints with one preventive product present

19%

of persistent threats were found on endpoints with two preventive products present

Source: Data captured from The Huntress Managed Security Platform, which detects persistent footholds and other cyberthreats, January – May, 2021 (Base = 2,566)

Glitch effect

Can Security Tools Find and Eliminate Persistence?

Many companies that produce security tools claim they can find and eliminate persistence through artificial intelligence (AI) and automation. The problem is that persistence, by design, is stealthy to remain undetected. It often accomplishes this by using forms of obfuscation or evasion techniques that automated tools won’t catch.

Humans, on the other hand, have the contextual awareness to see if something doesn’t look right. This is why threat hunting combines innovative technology with human intelligence to identify attacks that are missed by automated security tools alone.Human threat hunters and innovative technology are the dynamic duo that can find and eliminate persistence.

Want to learn more about finding and stopping persistent threats?

The Huntress Managed Security Platform was designed to detect persistence mechanisms to identify ​and evict threat actors from your environments. Sign up for a free trial If you’d like to see The Huntress Managed Security Platform in action against persistent threats.

Start for FreeGlitch graphic
Glitch effectGlitch effectGlitch effect